New hacking technique exploits common NULL programming error

By Dennis Fisher, Executive Editor
21 Apr 2008 | SearchSecurity.com

A new generic method for exploiting a common problem in software code that was previously thought to be prohibitively difficult to attack is generating a wave of concern and surprise in the security community.

The new method is the work of Mark Dowd, a researcher on IBM ISS's X-Force team, and it can be used to reliably exploit NULL pointer dereferences, a very common condition in many applications.

The condition occurs when a program uses a pointer that holds NULL, most often because a memory allocation failed and returned NULL and the program never checked for that before writing through the pointer. Programs typically crash when this happens, since the low addresses around NULL are normally unmapped. Dowd found a way to exploit the condition instead. His technique was developed specifically against Flash but applies to other applications with the same bug: wherever an application forgets to check whether an allocation failed and then writes to NULL plus an attacker-influenced offset, the attacker controls where in memory the application writes, within the constraints the offset calculation imposes (its range and alignment).
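The bug pattern described above, reduced to its essentials in C. This is an added example, not code from the article or from Dowd's paper: the record layout, the element cap and the malicious values are constructed for the demonstration and do not describe a real SWF structure. The vulnerable function shows what an unchecked allocation turns an indexed store into when the allocator returns NULL (a write to an attacker-chosen address), and the hardened function beside it shows the checks that close the hole.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Policy cap on element count for the hardened parser. The value is an
 * assumption for this example, not a figure from the article. */
#define MAX_ELEMENTS (1u << 20)

/* Constructed record layout: an element count, the index of the element to
 * store into, and the value to store. All three are attacker-controlled in
 * the scenario under discussion. This is not a real SWF structure. */
struct record {
    uint32_t count;
    uint32_t index;
    uint32_t value;
};

/* Allocator that always fails, standing in for an exhausted heap so the
 * NULL path can be exercised deterministically. */
void *failing_alloc(size_t n)
{
    (void)n;
    return NULL;
}

/* Vulnerable pattern (illustration only): the allocation result is never
 * checked. When alloc() returns NULL, the store the buggy code would do is
 * *(uint32_t *)(NULL + index * 4) = value, a 32-bit write to an address the
 * attacker chose through the index field. Instead of performing the store,
 * this returns the address it would hit; a real program would fault or, if
 * that address is mapped, silently corrupt memory. Returns 0 when the
 * allocation succeeded and no NULL-relative write would occur. */
uintptr_t vulnerable_write_target(const struct record *r, void *(*alloc)(size_t))
{
    uint32_t *table = alloc((size_t)r->count * sizeof(uint32_t));
    if (table != NULL) {
        free(table);
        return 0;
    }
    /* the pointer arithmetic the compiler emits for table[r->index] */
    return (uintptr_t)table + (uintptr_t)r->index * sizeof(uint32_t);
}

/* Hardened form: bound the count, make sure the byte size cannot wrap,
 * check the allocation, and bounds-check the index before any store.
 * Returns 0 on success (the stored value is echoed through *out) or -1
 * when the record is rejected or the allocation fails. */
int hardened_store(const struct record *r, void *(*alloc)(size_t), uint32_t *out)
{
    if (r->count == 0 || r->count > MAX_ELEMENTS)
        return -1;                      /* implausible count */
    if (r->count > SIZE_MAX / sizeof(uint32_t))
        return -1;                      /* byte size would overflow */
    if (r->index >= r->count)
        return -1;                      /* index outside the table */
    uint32_t *table = alloc((size_t)r->count * sizeof(uint32_t));
    if (table == NULL)
        return -1;                      /* allocation failed: never dereference */
    table[r->index] = r->value;
    *out = table[r->index];
    free(table);
    return 0;
}

int main(void)
{
    /* Constructed malicious record: a count that exhausts the heap and an
     * index that steers the resulting NULL-relative write. */
    struct record evil = { 0xFFFFFFFFu, 0x00300000u, 0x41414141u };
    struct record ok   = { 16u, 3u, 7u };
    uint32_t v = 0;

    printf("unchecked parser would store 0x%08x at %p\n", evil.value,
           (void *)vulnerable_write_target(&evil, failing_alloc));
    printf("hardened parser on malicious record: %d\n", hardened_store(&evil, malloc, &v));
    printf("hardened parser when allocation fails: %d\n", hardened_store(&ok, failing_alloc, &v));
    printf("hardened parser on valid record: %d (value %u)\n", hardened_store(&ok, malloc, &v), v);
    return 0;
}
```

The address returned for the malicious record is simply index times the element size, which is the "specific constraint" on such a write: the attacker picks any 4-byte-aligned address within the reach of the index field, but nothing outside it.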

And while the ability to reliably exploit these conditions is a major advance, researchers say, the other important aspect of Dowd's work is that it undermines the belief that code written in high-level languages such as Java, JavaScript, C# and others is safe from memory corruption. Flash content, the form in which Dowd's exploit is delivered, is written in ActionScript, a scripting language built on the same ECMAScript standard as JavaScript; the Flash player that interprets it is native code, and that is where the NULL pointer bug lives. It has been commonly thought that, in general, only low-level languages such as C are exposed to memory-corruption attacks, and that a managed or scripting language shields the code running above it. Dowd's work shows that the runtime beneath a high-level language is still native code, and a bug there can be reached and exploited through the high-level language.

"People have assumed that these high-level languages weren't vulnerable to memory corruption because they don't work directly with memory. What Mark did that's even creepier than the NULL pointer thing is he found a way to make them vulnerable to memory corruption," said Thomas Ptacek, a principal at Matasano Security, who recently wrote a long explanation of Dowd's paper. "So when you think about it, that means that the status of high-level languages as safe is no longer true."

Ptacek points out that many of today's applications, from Web browsers to server platforms, are written using a combination of these languages, and JavaScript is especially prominent in Web applications. A generic way to exploit these common conditions in the many high-level-language runtimes in use today is therefore a significant advance.

"NULL pointers have been one of the holy grails because you see them all the time," Ptacek said. "Writing the exploit is very difficult. But writing the second one is difficult, and writing the third one it starts to get easier. What Mark did is go ten steps beyond where any other vulnerability researcher would have stopped. It's amazing. And it's a much bigger deal because nothing is written in C anymore, so finding that these high-level languages are vulnerable is huge."

Dowd's paper, published earlier this month, deals specifically with a flaw that IBM ISS recently discovered in the Flash player. In it, he shows how an attacker could use the NULL pointer issue to compromise a machine, and says the attack should work in both Firefox and Internet Explorer. He also notes that Address Space Layout Randomization (ASLR) in Windows Vista, which loads executables and DLLs at randomized addresses so that an exploit cannot rely on fixed ones, does not prevent the attack: Vista only randomizes images linked with the /DYNAMICBASE flag, and the Flash player was not built with it, so it loads at a predictable address.
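A quick way to check that last point for any Windows binary is to read the DllCharacteristics field of its PE optional header, where the /DYNAMICBASE linker flag sets bit 0x0040 (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE). The following C program is an added example, not code from the article or from Dowd's paper; the header offsets come from the PE/COFF specification, and the minimal PE header it builds for the no-argument run is constructed test data, not a real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE/COFF: DllCharacteristics bit set by the /DYNAMICBASE linker flag */
#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040u

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if the image opts in to ASLR, 0 if it does not, and -1 if the
 * buffer is not a PE image or is too short to contain the fields read. */
int pe_has_dynamic_base(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    uint32_t e_lfanew = rd32(img + 0x3C);           /* file offset of "PE\0\0" */
    /* need signature (4) + COFF file header (20) + optional header through
       DllCharacteristics (offset 70, 2 bytes) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72)
        return -1;
    const uint8_t *nt = img + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0)
        return -1;
    const uint8_t *opt = nt + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b)           /* PE32 or PE32+ */
        return -1;
    /* DllCharacteristics sits at offset 70 of the optional header in both
       the PE32 and PE32+ layouts */
    uint16_t dllchars = rd16(opt + 70);
    return (dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) ? 1 : 0;
}

/* Builds a minimal PE32 header (constructed test data, not a real binary)
 * with the given DllCharacteristics. Returns bytes written, 0 if cap is
 * too small. */
size_t build_pe_stub(uint8_t *buf, size_t cap, uint16_t dllchars)
{
    const uint32_t e_lfanew = 0x80;
    const size_t total = e_lfanew + 4 + 20 + 96;    /* 96 = PE32 optional header without data directories */
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = (uint8_t)e_lfanew;                  /* little-endian; 0x80 fits in one byte */
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    uint8_t *coff = buf + e_lfanew + 4;
    coff[0] = 0x4c; coff[1] = 0x01;                 /* Machine = IMAGE_FILE_MACHINE_I386 */
    coff[16] = 96;                                  /* SizeOfOptionalHeader */
    uint8_t *opt = coff + 20;
    opt[0] = 0x0b; opt[1] = 0x01;                   /* Magic = PE32 */
    opt[70] = (uint8_t)(dllchars & 0xff);
    opt[71] = (uint8_t)(dllchars >> 8);
    return total;
}

int main(int argc, char **argv)
{
    uint8_t buf[4096];
    size_t n;

    if (argc > 1) {
        /* Real binary: the headers live in the first few KB of the file */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {
        /* No file given: demonstrate on a constructed header without the flag */
        n = build_pe_stub(buf, sizeof buf, 0x0000);
    }

    int r = pe_has_dynamic_base(buf, n);
    if (r < 0)
        puts("not a PE image (or headers truncated)");
    else
        printf("DYNAMIC_BASE (ASLR opt-in): %s\n", r ? "yes" : "NO - loads at a fixed address");
    return 0;
}
```

Run it against a DLL or EXE to see whether Vista's ASLR will randomize it; an image that reports 0 is loaded at its preferred ImageBase every time, which is exactly the property an exploit of the kind described here depends on.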
